How to Limit the Access of a File System and Subdirectories to a Limited Number of Users

We're looking into limiting user access to a couple of file systems and their subdirectories. Basically, these file systems are the product directories. And we want only 3 people to have access to them.

We're running AIX 5.3.

What we want to do is when the users login to their unix user accounts, that they can't access the product directories. Only 3 people (myself, the senior dba and our boss) would have access to these product directories.

I know I can modify these accounts to not be able to use the cd command, but that would not allow the users to change directories at all... we just want them not to access the product directories.

And limiting the access on the product directories would bar ALL from accessing them. Like I mentioned, we want only 3 people to have access to the product directories.

I think that just a grant to a specific group and deny to other would be enough, if I understood well the scenario.
If these dirs must be accessed only by these 3 users, the standard unix permissions facilities are right.
If it's not the case maybe you can explore other (more complex) ways, but I'd try with a 0 in the 3rd octet.

2012/6/21 yawe_frek email@removed

> Reply from yawe_frek on Jun 21 at 9:29 AM
> Well I would suggest you create a new group, then change the permission for group on the product directory to the new group, and finally add the 3 members to the new group.

Jalal is right, but there are more ways, like restricted shell, but an easy way is this:

Create a new group and call it something that makes sense:
mkgroup -'A' id='222001' users='chris,inge,neil' vipstaff (group name is vipstaff and users are chris, neil and inge)

If your directory is a mounted file system, make sure you have it mounted. Let me use the following example - /data/vipdata
mount /data/vipdata
df -m /data/vipdata (to check)

You then change directory to the parent directory and apply your ownership and permissions accordingly:
cd /data
pwd (will show /data)
chown -R chris:vipstaff vipdata (this will make the user and the group chris and vipstaff and will do it for all the data and subdirectories recursively inside the vipdata directory)

Now here is the magic part. You change permissions:
find vipdata -type f -exec chmod 660 {} \; (this will grant the owner (chris) read and write permission on all files. It will grant all users in the vipstaff group also read and write permission. Lastly it will grant everyone else no read, no write and no execute permission - This covers all FILES in the directory recursively)
chmod 770 vipdata (this will grant the owner (chris) read, write and execute permission on all files. It will grant all users in the vipstaff group also read, write and execute permission. Lastly it will grant everyone else no read, no write and no execute permission - this covers the entire directory)
ls -la vipdata (it should look like this drwxrwx--- ) [ d = directory ; rwx = read+write+exec for owner ; rwx = read+write+exec for group ; --- = nothing for rest of world ]

Remember that a directory needs EXECUTE permission for you to be able to cd into the directory.
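
Because a directory needs the execute bit to be entered, a numeric file mode such as 660 applied recursively to a whole tree leaves its subdirectories unusable even for the allowed group. The script below is an added example, not part of any post in this thread: it audits a tree for that problem and for any access left to "other", then repairs it. The function names and the sample tree are constructed for illustration, and it assumes mktemp -d is available.

```shell
#!/bin/sh
# Added example, not from the thread. All paths are constructed sample data.

# make_sample_tree: build vipdata/reports/q1.txt under a temp dir and leave it
# in the state root gets from a recursive "chmod -R 660" followed by
# "chmod 770" on the top directory only. Prints the path of vipdata.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/vipdata/reports"
    echo "constructed sample" > "$t/vipdata/reports/q1.txt"
    chmod 660 "$t/vipdata/reports/q1.txt"
    chmod 660 "$t/vipdata/reports"      # subdirectory loses its x bits
    chmod 770 "$t/vipdata"              # only the top level is repaired
    echo "$t/vipdata"
}

# audit_tree DIR: print one line per problem; no output means the tree is clean.
audit_tree() {
    # Anything readable, writable or searchable by "other".
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null |
        sed 's/^/world-accessible: /'
    # Directories that the owner or the group cannot cd into.
    find "$1" -type d ! -perm -110 -print 2>/dev/null |
        sed 's/^/not traversable: /'
}

# fix_tree DIR: directories 770, regular files 660, nothing for "other".
# find visits a directory before its contents, so each level becomes
# searchable before find descends into it.
fix_tree() {
    find "$1" -type d -exec chmod 770 {} \;
    find "$1" -type f -exec chmod 660 {} \;
}

demo() {
    dir=$(make_sample_tree) || return 1
    echo "before:"; audit_tree "$dir"
    fix_tree "$dir"
    echo "after:";  audit_tree "$dir"
    rm -rf "${dir%/vipdata}"
}
demo
```
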
